Post on 11-Mar-2020


YOU’VE BEEN PWNED… but your customers are the target

Lessons learned from attacks against the power grid.

Christopher Hickernell, Security Architect

linkedin.com/in/christopherhickernell

@cahickernell

17 years of experience

B.S. Information Systems

M.S. Information Security

CISSP, CCSP, GSLC, CCNA R&S, CCNA Security, Security+

Source Article

THE WALL STREET JOURNAL

Published Jan 10, 2019

By Rebecca Smith and Rob Barry



Attack Timeline

Date markers on the slide: 2016, 2017, 2018; Early March, Late March, Early June, Late June, October, December, April.

Events, in the order the slide builds them:

1. "Control Engineering" website hacked to capture visitors' passwords

2. All-Ways Excavating email compromised

3. All-Ways customers are phished, directing them to another credential harvesting website

4. Dan Kauffman Excavating is compromised

5. Corvallis, Ore.-based firm is compromised

6. Corvallis network and fake email persona used to phish DeVange Construction

7. Fake DeVange email used to send malicious attachments to utilities

8. Kauffman mailbox used to send 2,300 phishing emails containing a fake Dropbox link

9. Power Grid compromised

10. Attackers still active

CASE STUDIES

Case #1: Malicious file uploaded onto the website for trade journals (CFE Media LLC). Website code harvested usernames and passwords from visitors.

MITRE ATT&CK: Initial Access: Exploit Public-facing Application

Countermeasure: File Integrity Checking; Application Isolation; Web application firewall; Log monitoring

Target: Website for trade journals

Case #2: Commandeered email account (Mr. Vitello, All-Ways Excavating USA) was used to send messages to customers. The messages sent recipients to a malicious website (imageliners.com) that looked like Dropbox.

MITRE ATT&CK: Persistence: Valid Accounts

Countermeasure: Email filtering; Multi-factor authentication; Expiring passwords

Target: Business Email
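The email-filtering countermeasure for Case #2 can be approached as a brand/host mismatch check: a link whose visible text (or URL path) names Dropbox but whose host is not a Dropbox domain is the shape of the lure described above. The following is an added example, not code from the deck or from the WSJ article; the brand-to-domain table and the sample message are constructed assumptions, with the lure host taken from the slide.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names a lure may imitate, mapped to domains that brand actually owns.
# Only Dropbox is listed because that is the lure in Case #2; the mapping is an assumption.
BRAND_DOMAINS = {"dropbox": ("dropbox.com",)}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def _owned_by(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_mismatched_links(html_body):
    """Return (brand, host) for each link whose text or URL names a brand
    while the link host is not one that brand owns."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            names_brand = brand in text.lower() or brand in href.lower()
            if host and names_brand and not _owned_by(host, domains):
                findings.append((brand, host))
    return findings


# Constructed sample resembling the Case #2 lure: text says Dropbox, link goes to imageliners.com.
SAMPLE_LURE = ('<p>A file has been shared with you.</p>'
               '<a href="http://imageliners.com/share/login">View on Dropbox</a>')
```

A mail gateway would run this over the HTML part of each inbound message and quarantine or rewrite any message that produces findings.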

Case #3: Mr. Vitello's email account was used by the attackers multiple times, even to respond to customers' inquiries about the strange messages they were receiving from Mr. Vitello.

MITRE ATT&CK: Persistence: Valid Accounts

Countermeasure: Incident Response; Clean-up and prevention

Target: Business Email

Case #4: Harvested credentials were used to gain access to the Corvallis network, and attackers modified the Internet firewall, undetected.

MITRE ATT&CK: Persistence: Valid Accounts

Countermeasure: Monitor system changes

Target: Network Firewall

Case #5: Attackers accessed the Corvallis network multiple times from foreign countries (Turkey, France, Netherlands).

MITRE ATT&CK: Persistence: Valid Accounts

Countermeasure: Geo-fencing; Geo-blocking

Target: Corporate Network
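Geo-fencing for Case #5 is a detection over authentication logs: flag any login whose GeoIP country is outside the countries the business operates from, and, since a valid account does not trip that check when the attacker relays through an allowed country, also flag the same user appearing in two countries too close together to travel between. This is an added example, not part of the deck; the log format, the allowlist (a US-only company) and the sample lines are constructed, with the three countries taken from the slide.

```python
from datetime import datetime, timedelta

# Countries the (hypothetical) company expects logins from; anything else is flagged.
ALLOWED_COUNTRIES = {"US"}

# Constructed sample log: timestamp, user, source IP, GeoIP country (documentation IP ranges).
SAMPLE_LOG = """\
2017-06-02T08:15:00 jsmith 198.51.100.7 US
2017-06-02T08:40:00 jsmith 203.0.113.25 TR
2017-06-02T09:05:00 amiller 198.51.100.9 US
2017-06-02T22:12:00 amiller 192.0.2.77 FR
2017-06-03T01:30:00 bjones 192.0.2.140 NL
"""


def parse_log(text):
    """Parse the constructed four-column log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country})
    return events


def geo_alerts(events, allowed=ALLOWED_COUNTRIES, travel_window=timedelta(hours=2)):
    """Two checks, in time order:
    geo_block          - login from a country outside the allowlist
    impossible_travel  - same user in two different countries within travel_window"""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["country"] not in allowed:
            alerts.append(("geo_block", ev["user"], ev["country"]))
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= travel_window:
            alerts.append(("impossible_travel", ev["user"], prev[1] + "->" + ev["country"]))
        last_seen[ev["user"]] = (ev["ts"], ev["country"])
    return alerts
```

The impossible-travel check is the one that still fires when the geo-block list is bypassed, so both belong in the same rule set.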

Case #6: Attackers visited corporate VPN login pages.

MITRE ATT&CK: Initial Access: External Remote Services; Persistence: Valid Accounts

Countermeasure: Multi-factor authentication

Target: VPN Login

Case #7: Attackers used fake personas to send emails to utility companies with malicious attachments (resumes).

MITRE ATT&CK: Persistence: Create Account; Persistence: Valid Accounts

Countermeasure: Email Security (Spam, Anti-spoof, Anti-malware, Sandbox, URL Re-writing); End-user Awareness; Client Security

Target: Business Email

Case #8: Attackers penetrated the control-system area of utilities through poorly protected jump boxes.

MITRE ATT&CK: Persistence: Valid Accounts; Lateral Movement: Remote Desktop Protocol

Countermeasure: Endpoint Security; Detection & Response; Secure Baseline Configuration

Target: Endpoint

Case #9: All-Ways Excavating was again hacked. Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.

MITRE ATT&CK: Persistence: Valid Accounts; Persistence: Account Manipulation

Countermeasure: Incident response; User Behavior Analysis; Deception (Honeypot/Honeynet/Honeycred)

Target: Business Network

Questions

Stories / Tech

In a cyber world, every business can be targeted.

So… Be Brilliant on The Basics
